ExploitMe Mobile Defective Mobile Application for your hacking pleasures!

ExploitMe Mobile
Defective Mobile Application for your
hacking pleasures!
An ExploitMe Series Production
Version 0.93
Page | 1
The ExploitMe Series
This document is for informational purposes only. Security Compass MAKES NO WARRANTIES, EXPRESS, IMPLIED,
OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
This document is provided ―as-is. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Copyright © 2012 Security Compass Inc. All rights reserved.
Page | 2
ExploitMe Mobile
(EMM) is a Security
Compass open source project demonstrating
common mobile application vulnerabilities in
the iOS and Android platforms. ExploitMe
Mobile is a training platform built based on the
common mobile application security pitfalls.
The entire source of the project can be found
on github - github.com/SecurityCompass
T ECHNICAL D ETAILS
ExploitMe Mobile training platform is built on
client-server model. The server component is
shared between the iOS and Android client and
can be used simultaneously. The diagram below
outlines the architecture of the ExploitMe
Mobile platform.
The objectives of the ExploitMe Mobile training
platform are:
Capture the common security related
mobile application development pitfalls
within a mobile application for iOS and
Android platforms.
Build in intentionally vulnerable client and
server side code to illustrate business level
impact of technical mobile application
vulnerabilities.
Develop a learning platform that can
educate developers on secure coding
practices.
Create an openly available platform that
encourages community collaboration.
All the vulnerabilities featured in the ExploitMe
Mobile training platform are inspired by the
results of mobile application security
assessments performed by Security Compass
consultants across various industry verticals.
The iPhone and Android versions of ExploitMe
Mobile feature the top 80% of all Medium, High
and
Critical
risk
mobile
application
vulnerabilities in the following broad categories:
Parameter manipulation
Protocol encryption
Password lock screens
File system access permissions
Insecure storage of files
Insecure logging
EMM
Android
Client
EMM iOS
Client
Lab
Server
EMM LAB SERVER
The ExploitMe Mobile Lab Server component is
the heart of the platform. The server contains
the backend business logic that the mobile
client
applications
are
designed
to
communicate with. In order to maintain
simplicity, the Lab Server component is
designed as a simple HTTP REST server that
returns JSON arrays. The Lab Server is built
using Python Flask micor-framework and is
easily extensible to add functionality to the
application. For further details on the Lab
Server component, please visit Security
Compass’s Github page https://github.com/SecurityCompass
Page | 1
EMM ANDROID & IOS CLIENTS
ExploitMe Mobile is primarily a Mobile Banking
application designed in native code for the iOS
and Android platform. The functionality of the
application is identical across both platforms.
This client application communicates with the
lab Server component to authenticate, retrieve
data, perform transactions etc. All the
ExploitMe Mobile hands-on labs are designed to
hack the client applications and train
developers to code securely on both the
platforms.
1. iOS Lab Launch the lab server:
python app.py
2. Launch the application in the simulator.
3. Launch your favorite proxy and ensure that
MacOSX is set up to use the proxy server.
The iPhone simulator obeys the OSX
settings for a proxy. You can configure it in
Preferences -> Network & Sharing ->
Proxies.
E XPLOIT M E M OBILE L ABS
ExploitMe Mobile features hands-on lab
exercises to guide users to hunt for
vulnerabilities within the application. In order
to set your environment up to execute the labs,
please refer to the following documentation
pages hosted on GitHub:
iOS Labs Setup http://securitycompass.github.com/iPhoneL
abs/setup.html
Android Labs Setup http://securitycompass.github.com/Androi
dLabs/setup.html
IOS LAB 1 - SECURE CONNECTIONS
In the first lab, we will use a proxy server such
as Charles to proxy the ExploitMe Mobile clientserver communication channel. This guide
assumes you have configured your environment
by following the steps outlined in the above
links.
4. Ensure that your proxy is correctly
accepting network traffic and then run
the iPhone ExploitMe Mobile lab in the
simulator. Once the simulator is
running, login using the standard login
and password jdoe/password for the
user, or if you’ve already logged in
before, enter your local password you
configured on first run.
Page | 2
5. It is clear that the application is using
clear-text at this point and that HTTP
traffic can be trapped and modified.
This is often the first step to attacking
any mobile application and if you’ve
made it this far, you now are able to
fully act as a man in the middle against
any iPhone application.
IOS LAB 1 SECURE CONNECTIONS - SOLUTION
1. We want to encrypt the communication
between the client and server so that
we can’t so easily man-in-the-middle it.
Since we are using HTTP for
communication, all we have to do is
change the protocol to HTTPS and thus
enable SSL/TLS.
6. In the following screenshot, we can see
that EMM sends user credentials upon
first entry to the application in cleartext. The username and password is
clearly shown.
2. We re-launch the server in ssl mode
and run it on port 8443:
python
8443
7. You can achieve the same effect by
using wireshark. Since both the
simulator and the server are running on
the same server, we need to monitor
the loopback interface (lo0) to view
communication
between
your
computer and itself.
app.pyt
--ssl
--port
3. In the iPhone simulator, under Settings
-> Base we change the URL to
http://localhost:8443:
4. Now, we can see in Wireshark that the
communication is encrypted:
Page | 3
7. Above, Charles can decrypt the SSLencrypted traffic for us since we
accepted the Charles certificate as valid
in the simulator.
ANDROID LAB 1
The android apk that we’ll use for most labs is
the base.apk
5. We can still use Charles (or another
proxy) to intercept SSL traffic as long as
we accept the Charles SSL certificate in
the iOS simulator. More information on
how to do that here.
6. When using a proxy that intercepts SSL,
we can see the decrypted traffic:
This is a simple lab, but it demonstrates a key
point that sometimes is forgotten, which is that
mobile device traffic can still be sniffed. The
Android emulator has a built in setting to
capture network traffic which makes it much
easier for us to sniff data from android
applications.
1. To run, we perform:
emulator.exe -avd emu -tcpdump
test.cap
2. Now, we have to run the Lab Server:
python app.py
3. Now, launch the Lab APK file and install
it to the emulator through any IDE of
your choice, in our case, we’ll use
Eclipse.
4. Upon first launch, the lab will ask for a
username and password to your
banking account. This, like in a real
application could either be done
securely (encrypted) or insecurely.
Page | 4
6. Let’s analyze how the application
performed the login procedure. Open
up the cap file in Wireshark. Find the
HTTP stream where the application logs
in within the packet history. You’ll see it
highlighted by HTTP and green.
ANDROID LAB 1 - SOLUTION
We want to enable HTTPS so that the
connection can’t be snooped. We do this by
first running the server in SSL mode:
python app.py --ssl --port 8443
Then, we enable HTTPS in the preferences of
the client application:
5. The first lab is about network
encryption, so clearly we’ll have to look
at the network TCP dump to see how
the
application
is
performing
authentication.
Page | 5
LAB 2 PARAMETER MANIPULATION
The parameter manipulation lab is contained
within the bank transfer section.
The purpose of this lab is to demonstrate that
many common iPhone applications still rely on
traditional web architectures or REST interfaces
in the back end to perform their tasks. Often, if
you’re able to trap the request, you can make
the application or server act in ways it may not
have felt possible.
1. First, enter the bank money transfer
screen within the ExploitMe Mobile
application.
2. There are a number of accounts
preconfigured in EMM’s default Lab
server configuration. We’ve logged in
before using the jdoe account. The two
usernames we have preconfigured and
their bank account numbers are:
jdoe / password
o Debit: 123456789
o Credit: 987654321
bsmith / password
o Debit: 111111111
o Credit: 22222222
3. In this lab, we’ll try to transfer money
between accounts on the server by
intercepting the EMM app request.
Again, this traditionally isn’t any
different from web exploits, but most
apps work in the same manner so it’ll
be good to see how it works on the
mobile app space.
Page | 6
4. Fill in the transfer screen and ensure
your proxy is trapping the request.
LAB 2 - SOLUTION
The solution here is the same as it would be in a
regular web app, we have to perform some
validation on the server.
#validate
that
accounts
belong to user:
if
to_account.user
!=
session.user
or
from_account.user
!=
session.user:
return
error("E6")
#validate
that
amount
positive
if total_cents < 0:
return error("E5")
is
O THER L ABS
In addition to the above labs, ExploitMe Mobile
features more hands-on exercises to walk
through the various mobile application security
vulnerabilities designed into the application.
Please refer to the following GitHub pages for
detailed documentation on all the iOS and
Android labs.
iOS Labs http://securitycompass.github.com/iPhoneL
abs/index.html
Android Labs http://securitycompass.github.com/Androi
dLabs/index.html
More on mobile security course is available
from
http://labs.securitycompass.com/mobile/ne
w-mobile-security-course-and-exploitmemobile/
O THER R ESOURCES
Security Compass’s Blog –
http://labs.securitycompass.com
Security Compass’s Mobile Case Study –
http://securitycompass.com/company/case
-studies.html#!/mobile-security-assessment
Security Compass’s Mobile Assessment –
http://securitycompass.com/services/mobil
e-security-assessment.html
Page | 7
What can we do for you?
We understand application security and strive to provide
you with the best consulting & training experience for
you and your organization.
Our consultants are helping our clients manage real
world security risks. Our experience in managing these
same risks enables us to deliver training material with the
latest threats and vulnerabilities seen in every day
engagements.
What does that mean? It means that we are here to help
you and your staff to respond with forward thinking
concepts to securing your business.
Here to help.
Reach out to Security Compass’ advisors who can help by
emailing us at GuideMe@securitycompass.com.
Page | 8